Microsoft has recently published a study of two segments of a new email infrastructure that delivers over a million malware-laden emails per month. The infrastructure has been used to distribute at least seven different malware families and appears to fill the gap left by the takedown of the Necurs botnet.
Emerging email platform for attackers
The infrastructure dates back to March and April 2020. Since then, Microsoft has observed and evaluated its two segments, called StrangeU and RandomU.
- StrangeU (so called because its newly registered domains contain the word "strange") and RandomU (which uses randomly generated domain names) have mainly targeted victims in financial services, hospitals, and bulk delivery in Australia, the United States, and the United Kingdom.
- The infrastructure has primarily targeted corporate email addresses, while ignoring user accounts, and has delivered everything from commodity malware such as Makop and Mondfoxia to more persistent threats like Trickbot, Dofoil, Emotet, DoppelPaymer, and Dridex.
- According to Microsoft, however, the basic techniques for gaining initial access have remained the same: spear-phishing emails, false alarms, urgent update notices, and topical lures were the main tactics and tools.
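As an added defender-side illustration (not code from Microsoft's report), the script below triages sender domains from mail-gateway logs against the two naming patterns described above: the word "strange" in a domain label, and labels that look randomly generated. The log layout, the randomness thresholds and the sample lines are constructed assumptions.

```python
import math
import re
from collections import Counter

# Constructed log lines in an assumed "timestamp sender recipient" layout.
SAMPLE_LOG = """\
2020-04-02T08:11:03Z invoice@payments.example.com ap@corp.example
2020-04-02T08:12:44Z alerts@strangemail-update.example ceo@corp.example
2020-04-02T08:14:09Z news@xk7qpzv9.example hr@corp.example
2020-04-02T08:15:30Z hr@contoso.example staff@corp.example
"""
VOWELS = set("aeiou")

def shannon_entropy(text: str) -> float:
    """Bits per character; machine-generated labels tend to score high."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def looks_random(label: str) -> bool:
    """Assumed RandomU heuristic: a long label with few vowels, a long
    consonant/digit run, or high entropy, which dictionary words rarely have."""
    if len(label) < 6:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    longest_run = max((len(m) for m in re.findall(r"[^aeiou.-]+", label)), default=0)
    return vowel_ratio < 0.2 or longest_run >= 5 or shannon_entropy(label) >= 3.5

def classify_sender(address: str) -> str:
    """Return 'strangeu', 'randomu' or 'ok' for one sender address."""
    domain = address.rsplit("@", 1)[-1].lower()
    labels = domain.split(".")[:-1]  # ignore the TLD; only the owner's labels vary
    if any("strange" in lbl for lbl in labels):  # StrangeU names carry the word
        return "strangeu"
    if any(looks_random(lbl) for lbl in labels):
        return "randomu"
    return "ok"

def triage(log_text: str) -> list[tuple[str, str]]:
    """Return (sender, verdict) for every line whose sender domain is suspicious."""
    flagged = []
    for line in log_text.splitlines():
        _timestamp, sender, _recipient = line.split()
        verdict = classify_sender(sender)
        if verdict != "ok":
            flagged.append((sender, verdict))
    return flagged

if __name__ == "__main__":
    for sender, verdict in triage(SAMPLE_LOG):
        print(f"{verdict:9} {sender}")
```

Heuristics like these only surface candidates for review; tune the thresholds against your own sender population before alerting on them.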
Current attacks focused on emails
Several attacks observed in recent months have abused email infrastructure to reach potential victims.
- Last month, scammers were observed abusing gaps in Microsoft 365 read receipts and out-of-office replies to target their victims.
- In the same month, attackers compromised a Mimecast-issued certificate used to authenticate some of the company's products to Microsoft 365 Exchange Web Services in order to spy on targets.
The use of advanced techniques for email networks, such as sophisticated domain-name generation, shows that cybercriminals continually invest in their email-based attack tactics. To gain initial access to networks, attackers repeatedly rely on familiar malicious techniques, such as emails carrying malicious links or attachments. This makes it urgent to strengthen email-centric defenses across corporate networks.